The present invention is related to wireless networks, and in particular to network security and detecting rogue access points in an infrastructure wireless network.
Use of wireless networks such as wireless local area networks (WLANs) is becoming widespread. Furthermore, network security is becoming more and more important. Wireless networks present important network security concerns. One such concern is detecting rogue wireless stations.
A WLAN may be ad hoc, in that any station may communicate directly with any other station, or have an infrastructure in which a station can only communicate with another station via an access point (AP). The access point is typically coupled to other networks that may be wired or wireless, e.g., to the Internet or to an intranet. That wider network is called the “wired” network herein, and it is to be understood that this wired network may be an internetwork that include other wireless networks.
One aspect of the present invention addresses detecting rogue APs. We are mostly concerned with two types of rogue APs:                An AP that is connected to a wired network of interest, e.g., to an otherwise secure LAN without authorization, and that thus may present a security hole for the secure network.        An AP that is not connected to the wired network of interest but is in the radio environment of a wireless network (WLAN) of interest. Such an AP, by accepting associations may interfere with the WLAN of interest, e.g., by hampering potential client stations (“clients”) from accessing their wireless network.        
A rogue AP may be a malicious or non-malicious rogue AP. A non-malicious AP, for example, is the AP of a user who sets up such an AP for personal use either connected to the wired network of interest not in the wireless network of interest, without intentionally thwarting detection. Such a user is likely to use out-of-the-box default configuration. Therefore, when used in the radio environment of a WLAN of interest, the SSID of such a non-malicious AP typically will not match the SSID of the WLAN of interest.
A malicious rogue AP is one set up by a user in order to gain access to a wired network of interest, e.g., a secure LAN. Such a malicious AP may spoof the MAC address of a legitimate AP. Such a malicious AP may further set parameters such as the power, channel, and SSID again to spoof those of a legitimate AP in order to minimize the likelihood of being detected.
WLANs suffer several potential problems because of rogue access points. A rogue access point when connected to a secure network may cause the network to become insecure if proper security measures have not been enabled on the access point. In a well-designed WLAN, the access points typically have been configured to provide a certain level of coverage and capacity. Rogue access points can cause degradation to such planned coverage and capacity by causing contention with a legitimate access point, by causing collisions with a legitimate access point, and even by possibly causing denial of service for a legitimate client station.
There therefore is a need in the art for methods of detecting rogue APs.
Prior art methods for detecting rogue access points include having clients report failed authentication attempts on other APs, or detecting failed authentication attempts by the APs themselves. For example, an authentication tattletale method is known for reporting rogue access points. See U.S. patent application Ser. No. 09/917,122, filed Jul. 27, 2001, now issued as U.S. Pat. No. 7,181,530, assigned to the assignee of the present invention, and incorporated herein by reference. Such a prior-art method typically includes configuring a station with the appropriate identifier of the WLAN—a service set identifier (SSID)—to make an authentication attempt. Only rogues that are in the proper location to the clients i.e., in radio contact for an attempt at authentication can be detected. This can result in a delayed detection or no detection at all.
Other prior art methods include using some type of sniffer device that can be carried in the WLAN coverage area. An operator periodically walks the WLAN coverage with the sniffer device making measurements to search for rogue APs. See, for example, “AiroPeek and Wireless Security: Identifying and Locating Rogue Access Points” from WildPackets, Inc., Walnut Creek, Calif. (version dated Sep. 11, 2002).
Also known is a sniffer technique that uses APs as sniffers. See, for example, the document “AirWave Rogue Access Point Detection,” from AirWave Wireless, Inc., San Mateo, Calif. (www.airwave.com). Such APs are managed from a central location by a management entity. Most of the time, such a managed AP acts as regular access point. When a rogue scan is being conducted, a management entity issues a command, e.g., an SNMP command to the managed AP, converting it into a wireless sniffer. The managed AP scans the airwaves within its coverage radius, looking for traffic on all channels. The AP then reports all data back to the management entity as a trace, and then returns to normal operation mode. The management entity analyzes the traces from managed APs and sentry devices, comparing the detected APs to its database of authentic, managed APs. Such a method, however requires the AP to cease normal operation.
Prior art techniques are known for detecting rogue APs that require having a connection, e.g., a wired connection to the rogue AP. However, because a rogue AP may be a device installed at a neighboring location, detection methods that require a wired connection may not always succeed.
Prior art techniques for locating the switch ports to which a rogue AP is connected include what are termed correlation-based solutions that utilize an 802.11 radio MAC address to the wire-side MAC address of the rogue AP. Once the MAC addresses are correlated, the edge switches may then be searched to locate the MAC address. MAC addresses may also be captured from client station that are associated with the rogue AP, and these captured address may also be used to search edge devices to locate the rogue AP.
However, these correlation-based solutions will only operate if the heuristics employed are successful; that is, if a correlation does indeed exist. This may be problematic as many access points exist in which there is no relation between the radio MAC address and the Ethernet MAC addresses. Additionally, searching for an associated client's MAC address requires both that a client be associated with the rogue AP, and that the rogue AP be located in a location such that managed access points can receive transmissions from the client. Such methods can result in an uncontrolled client being associated with the rogue AP, potentially further compromising network security.
Additionally, such prior art methods assume that the rogue AP is not performing a NAT function for the client.